arXiv:1509.05664v2 [cs.SE] 30 Nov 2016 


SPECIFICATION-BASED SYNTHESIS OF DISTRIBUTED 
SELF-STABILIZING PROTOCOLS 

FATHIYEH FAGHIH“, BORZOO BONAKDARPOUR\ SEBASTIEN TIXEUIL^ 
AND SANDEEP KULKARNI'* 


“University of Tehran, Iran 
e-mail address'. f.faghih@ut.ac.ir 

*’McMaster University, Canada 
e-mail address'. borzoo@mcmaster.ca 

“LIP6, UPMC Sorbonne Universites, France 
e-mail address'. Sebastien.Tixeuil@lip6.fr 

'^Michigan State University, USA 
e-mail address', sandeep@cse.msu.edu 


Abstract. In this paper, we introduce an SMT-based method that automatically synthe¬ 
sizes a distributed self-stabilizing protocol from a given high-level specihcation and network 
topology. Unlike existing approaches, where synthesis algorithms require the explicit de¬ 
scription of the set of legitimate states, our technique only needs the temporal behavior 
of the protocol. We extend our approach to synthesize ideal-stabilizing protocols, where 
every state is legitimate. We also extend our technique to synthesize monotonic-stabilizing 
protocols, where during recovery, each process can execute an action at most once. Our 
proposed methods are fully implemented and we report successful synthesis of well-known 
protocols such as Dijkstra’s token ring and a self-stabilizing version of Raymond’s mutual 
exclusion algorithm, ideal-stabilizing leader election and local mutual exclusion, as well as 
monotonic-stabilizing maximal independent set and distributed Grundy coloring. 


1. Introduction 

Self-stabilization has emerged as one of the prime techniques for forward fault recovery. 
A self-stabilizing protocol satisfies two requirements: (1) Convergence ensures that starting 
from any arbitrary state, the system reaches a set of legitimate states (denoted in the sequel 
by LS) with no external intervention within a finite number of execution steps, provided 
no new faults occur, and (2) closure indicates that the system remains in LS thereafter. 

As Dijkstra mentions in his belated proof of self-stabilization [^, designing self-stabilizing 
systems is a complex task, but proving their correctness is even more tedious. Thus, having 
access to automated methods (as opposed to manual techniques such as [^) for synthesiz¬ 
ing correct self-stabilizing systems is highly desirable. However, synthesizing self-stabilizing 
protocols incurs high time and space complexity . The techniques proposed in [H[3l[7l[l6] 

A preliminary version of the paper has appeared in |8|. 


LOGICAL METHODS © F. Faghih, B. Bonakdarpour, S. Tixeuil, and S. Kulkarni 

IN COMPUTER SCIENCE DOI:10.2168/LMCS-??? Creative Commons 


1 




attempt to cope with this complexity using heuristic algorithms, but none of these algo¬ 
rithms are complete; i.e., they may fail to find a solution although there exists one. 

1.1. Motivation. Recently, Faghih and Bonakdarpour proposed a sound and complete 
method to synthesize finite-state self-stabilizing systems based on SMT-solving. However, 
the shortcoming of this work as well as the techniques in p|[7||16] is that an explicit descrip¬ 
tion of LS is needed as an input to the synthesis algorithm. The problem is that developing 
a formal predicate for legitimate states is not at all a straightforward task. For instance, the 
predicate for the set of legitimate states for Dijkstra’s token ring algorithm with three-state 
machines for three processes is the following: 

LS = ((xo -h 1 =3 xi) A {xi + 1 ^3 X2)) V 
((xi = Xo) A (xi -h 1 ^3 X2)) V 
((xi + 1=3 Xo) A {xi + 1 ^3 X 2 )) V 
((xo + 1 ^3 xi) A {xi + l ^3 Xo) A (xi -M =3 X 2 )) 

where =3 denotes modulo 3 equality and variable x* belongs to process i. Obviously, 
developing such a predicate requires huge expertise and insight and is, in fact, the key to 
the solution. Ideally, the designer should only express the basic requirements of the protocols 
(i.e., the existence of a unique token and its fair circulation), instead of an obscure predicate 
such as the one above. 


1.2. Contributions. In this paper, we propose an automated approach to synthesize self- 
stabilizing systems given ( 1 ) the network topology, and ( 2 ) the high-level specification of 
legitimate states in the linear temporal logic (LTL). 

We also investigate automated synthesis of two important refinements of self-stabilization, 
namely ideal stabilization 


17 and monotonic stabilization 21 . Ideally stabilizing protO' 


cols |17| address two drawbacks of self-stabilizing protocols, namely exhibiting unpredictable 
behavior during recovery and poor compositional properties. In order to keep the specifi¬ 
cation as implicit as possible, the input LTL formula may include a set of uninterpreted 
predicates. In designing ideal-stabilizing systems, the transition relation of the system and 
interpretation function of uninterpreted predicates must be found such that the specifi¬ 
cation is satisfied in every state. Monotonic stabilization relates to the behavior of 
a self-stabilizing system during stabilization, as it mandates a participating processor to 
change its output at most once after a transient fault occurs. So, a legitimate state is 
reached after at most one output change at every node. Intuitively, monotonic stabilization 
prevents unnecessary oscillations during stabilization, and guarantees recovery in a mono¬ 
tonic way (the system always moves closer to a legitimate state). Generic approaches to 
monotonic stabilization 21 require huge memory and time resources as the monotonic sta¬ 


bilization layer is added to an existing protocol. Finding specific monotonically stabilizing 
protocols that are memory and time efficient is notoriously difficult, yet highly appealing. 
These difficulties further motivate the need for developing methods that can automatically 
synthesize distributed self-, ideal-, and monotonic-stabilizing protocols. 

Our synthesis approach is based on SMT-based bounded-synthesis [^; i.e., we trans¬ 
form the input specification into a set of SMT constraints. If the SMT instance is satisfiable, 
then a witness solution to its satisfiability encodes a distributed protocol that meets the 


2 




input specification and topology. If the instance is not satisfiable, then we are guaranteed 
that no protocol that satisfies the input specification exists. 

We also conduct several case studies using the model finder Alloy . In the case of self- 
stabilizing systems, we successfully synthesize Dijkstra’s token ring and Raymond’s |19| 
mutual exclusion algorithms without explicit legitimate states as input. We also synthesize 
ideal-stabilizing leader election and local mutual exclusion (in a line topology) protocols, as 
well as monotonic-stabilizing distributed maximal independent set protocols. 


Comparison to the conference version. A preliminary version of this article appeared in 36th 
International Conference on Conference on Formal Techniques for Distributed Objects, 
Components, and Systems (FORTE’16). This article extends the conference version as 
follows: 

• We extend our synthesis approach to synthesize monotonic-stabilizing protocols. 

• We conduct three case studies on synthesizing monotonic-stabilizing distributed 
maximal independent set and Grundy coloring. 

More precisely. Subsections |3.4[ [5.3.4[ and |6.3| are our added contributions. 

Organization. In Sections and we present the preliminary concepts on the shared- 
memory model and self-stabilization. Section formally states the synthesis problems. In 
Section we describe our SMT-based technique, while Section is dedicated to our case 
studies. We discuss the related work in Section and finally, we make concluding remarks 
and discuss future work in Section [H 

2. Model of Computation 

2.1. Distributed Programs. Throughout the paper, let F be a finite set of discrete vari¬ 
ables. Each variable v € V has a finite domain D^. A state is a mapping from each variable 
V £ V to a value in its domain We call the set of all possible states the state space. A 
transition in the program state space is an ordered pair (sq,.?!), where sq and si are two 
states. We denote the value of a variable v in state s by v{s). 

Definition 1. A process it over a set V of variables is a tuple II4-, T^r), where 

• Rn C F is the read-set of tt; i.e., variables that vr can read, 

• IFjr C is the write-set of vr; i.e., variables that vr can write, and 

• Rr is the set of transitions of vr, such that (sq, si) £ R- implies that for each variable 

V £ V, if n(so) / t(si), then v £ RR. □ 

Notice that Definition requires that a process can only change the value of a variable 
in its write-set (third condition), but not blindly (second condition). We say that a process 
vr = (Rtt, VEtt, Rr) is enabled in state sq if there exists a state si, such that (sq, si) G R-- 

Definition 2. A distributed program is a tuple T) = (JiD^Tv)) where 

• IIx) is a set of processes over a common set F of variables, such that: 

— for any two distinct processes vri, vr 2 G Tlx >, we have RRi n IF 7 r 2 = 0 


3 




— for each process vr G IIx) and each transition (so,si) G the following read 
restriction holds: 

V4,s'i : ((Vn G Rn : (f(so) = '^(4) ^(®i) = ''^(4))) 

(Vn ^ : n(4) = v{s[))) (s'q, s'l) G (2.1) 

• Tjy is the set of transitions and is the union of transitions of all processes: 

Tv= \J 

TTgllxi 

□ 

Intuitively, the read restriction in Definition imposes the constraint that for each process 
vr, each transition in depends only on reading the variables that vr can read. Thus, 
each transition is an equivalence class in Tx>, which we call a group of transitions. The key 
consequence of read restrictions is that during synthesis, if a transition is included (respec¬ 
tively, excluded) in Tx>, then its corresponding group must also be included (respectively, 
excluded) in Tx> as well. Also, notice that Tp is defined in such a way that R resembles 
an asynchronous distributed program, where process transitions execnte in an interleaving 
fashion. 

Example. We use the problem of distributed self-stabilizing mutual exclusion as a running 
example to describe the concepts throughout the paper. Let V = {co,ci,C 2 } be the set 
of variables, where Deg = = Dc 2 = {0,1,2}. Let V = (np,Tp) be a distributed 

program, where lip = {tto, vti, 7r2}. Each process vr* (0 < z < 2) can write variable c*. Also, 

i? 7 ro = {co,ci}, i? 7 ri = {co,ci,C 2 }, and i? 7 r 2 = {ci,C 2 }. Notice that following Definition 
and read/write restrictions of vro, (arbitrary) transitions 

tl = ([co = 1 , Cl = 1 , C2 = 0], [co = 2 , Cl = 1 , C2 = 0]) 

t2 = ([co = 1, Cl = 1, C 2 = 2], [co = 2, Cl = 1, C2 = 2]) 

are in the same group, since vro cannot read C 2 . This implies that if ti is included in the set 
of transitions of a distributed program, then so should be t 2 - Otherwise, execution of ti by 
vro depends on the value of C 2 , which, of course, vtq cannot read. 

Definition 3. A computation of D = (Lip, Tp) is an infinite sequence of states s = sqSi • • •, 
such that: (1) for all z > 0, we have (si,Sj+i) G Tp, and (2) if a computation reaches a 
state Si, from where there is no state s 7 ^ Sj, such that (sj,s) G Tp, then the computation 
stutters at Si indefinitely. Such a computation is called a terminating computation. □ 


2.2. Predicates. Let T) = (np,Tp) be a distributed program over a set V of variables. 
The global state space of V is the set of all possible global states of V\ 

Ep = ]^ 
vev 

The local state space of vr G Lip is the set of all possible local states of vr: 

Ett = Du 

Definition 4. An interpreted global predicate of a distributed program D is a subset of Ep 
and an interpreted local predicate is a subset of E.^-, for some vr G Dp. □ 

4 


Definition 5. Let T) = (JI'p^Td) be a distributed program. An uninterpreted global predi¬ 
cate up is an uninterpreted Boolean function from Sx). An uninterpreted local predicate Ip 
is an uninterpreted Boolean function from for some tt G liv- D 


The interpretation of an uninterpreted global predicate is a Boolean function from the 
set of all states: 

up\ : Sx) I—)■ {true, false} 

Similarly, the interpretation of an uninterpreted local predicate for the process vr is a 
Boolean function: 


Ipi : Sjr I— )> {true, false] 

Throughout the paper, we use ‘uninterpreted predicate’ to refer to either uninterpreted 
global or local predicate, and use global (local) predicate to refer to interpreted global 
(local) predicate. 


2.3. Topology. A topology specifies the communication model of a distributed program. 

Definition 6. A topology is a tuple T = {V, |n 7 -|, Rq-, W-j), where 

• y is a finite set of finite-domain discrete variables, 

• |n 7 -| G N>i is the number of processes, 

• Rf is a mapping {0... |n 7 -| — 1} i—>■ 2^from a process index to its read-set, 

• Wq- is a mapping {0... |n 7 -| — 1} 2^ from a process index to its write-set, such 

that Wq-{i) C Rq-{i), for all i (0 < i < |n 7 -| — 1). □ 

Definition 7. A distributed program V = (flxjjTx)) has topology 
T={V,\Ur\,RT,WT) iff 

• each process tt G H-d is defined over V 

• IHtpI = inri 

• there is a mapping s' : {0... |n 7 -| — 1} i—)• liqq such that 

Vz G {0... iBrl - 1} : {Rrii) = Rg[P)) A [Wrii] = 

□ 


3. Formal Characterization of Self- and Ideal-Stabilization 

We specify the behavior of a distributed self-stabilizing program based on (1) the functional 
specification, and (2) the recovery specification. The functional specification is intended to 
describe what the program is required to do in a fault-free scenario (e.g., mutual exclusion 
or leader election). The recovery behavior stipulates Dijkstra’s idea of self-stabilization in 
spite of distributed control [^. 


5 


3.1. The Functional Behavior. We use LTL 18 to specify the functional behavior of a 


stabilizing program. Since LTL is a commonly-known language, we refrain from presenting 
its syntax and semantics and continue with our running example (where F , G , X , and U 
denote the ‘finally’, ‘globally’, ‘next’, and ‘until’ operators, respectively). In our framework, 
an LTL formula may include uninterpreted predicates. Thus, we say that a program T) 
satisfies an LTL formula ip from an initial state in the set /, and write T),I \= p iff 
there exists an interpretation function for each uninterpreted predicate in (/?, such that all 
computations of P, starting from a state in I satisfy p. Also, the semantics of the satisfaction 
relation is the standard semantics of LTL over Kripke structures (i,e., computations of T) 
that start from a state in I). 


Example 3.1 Consider the problem of token passing in a ring topology (i.e., token ring), 
where each process vTi has a variable Cj with the domain Dc^ = {0,1, 2}. This problem has 
two functional requirements: 


Safety: The safety requirement for this problem is that in each state, only one process 
can execute. To formulate this requirement, we assume each process vrj is associated 
with a local uninterpreted predicate tki, which shows whether vr* is enabled. Let 
LP = {tki I 0 < i < n}. A process tt* can execute a transition, if and only if tki is 
true. The LTL formula, ^^tr, expresses the above requirement for a ring of size n: 


V^TR = Vi G {0 • • • n — 1} : (Vua/ G {0,1, 2} : (cj = val) => X{ci ^ val)) 


Using the set of uninterpreted predicates, the safety requirement can be expressed 
by the following LTL formula: 


V’safety — 3i G {0 • • • n 1} . (tiCj A Vj ^ i . ~'tkj^ 

Note that although safety requirements generally need the G operator, we do not 
need it, as every state in a stabilizing system can be an initial state. 

Fairness: This requirement implies that for every process tTj and starting from each 
state, the computation should reach a state, where is enabled: 


^fairness — Vi G {0 • • • n 1} • (F tki') 


Another way to guarantee this requirement is that processes get enabled in a clock¬ 
wise order in the ring, which can be formulated as follows: 

V’fairness = Vi G {0 ■ ■ ■ n 1} : {tki ^ X ^^(i+1 mod n)) 

Note that the latter approach is a stronger constraint, and would prevent us to 
synthesize bidirectional protocols, such as Dijkstra’s three-state solution. 

Thus, the functional requirements of the token ring protocol is 


V’TR — V’safety ^ V’fairness 

Observe that following Definition V’tr ensures deadlock-freedom as well. 


6 




Example 3.2. Consider the problem of local mutual exclusion on a line topology, where each 
process has a Boolean variable Cj. The requirements of this problem are as follows: 

Safety: In each state, (i) at least one process is enabled (i.e., deadlock-freedom), 
and (ii) no two neighbors are enabled (i.e., mutual exclusion). To formulate this 
requirement, we associate with each process vr^ a local uninterpreted predicate tki, 
which is true when vTj is enabled: 

V^LME = yi € {0 ■ ■ ■ n — 1} : tki ((ci X-iq) A (-iCj => Xc*)) 

Thus, LP = {tki I 0 < i < n} and the safety requirement can be formulated by 
the following LTL formula: 

V'safety = E {0 • • • n - 1} : tki) A (Vi E {0 • • • n - 2} : ^{tki A tfc(j+i))) 
Fairness: Each process is eventually enabled: 

^fairness — ^ {0 • • • n 1} . (F tki) 

Thus, the functional requirement of the local mutual exclusion protocol is 

V’LME — "^safety A V’fairness 

3.2. Self-Stabilization. A self-stabilizing system is one that always recovers a good 
behavior (typically, expressed in terms of a set of legitimate states), starting from any 
arbitrary initial state. 

Definition 8. A distributed program V = {Ilx>,Tx>) with the state space Ed is self- 
stabilizing for an LTL specihcation if iff there exists a global predicate LS (called the 
set of legitimate states), such that: 

• Functional behavior: F, LS |= if 

• Strong convergence: V, Tjx> |= F LS 

• Closure: V, 'Ed |= {LS X LS) □ 

Notice that the strong convergence property ensures that starting from any state, any 
computation converges to a legitimate state of F within a finite number of steps. The 
closure property ensures that execution of the program is closed in the set of legitimate 
states. In the sequel, we will omit the state space Ed and LTL specification fj, when they 
are clear from the context or they are irrelevant. 

3.3. Ideal-Stabilization. Self-stabilization does not predict program behavior during re¬ 
covery, which may be undesirable for some applications. A trivial way to integrate program 
behavior during recovery is to include it in the specification itself, then the protocol must 
ensure that every conhguration in the specification is legitimate (so, the only recovery be¬ 
haviors are those included in the specification). Such a protocol is ideal stabilizing [T7| . 

Definition 9. Let if be an LTL specification and F = {IId,Td) be a distributed program. 
We say that F is ideal stabilizing for if iff F, Ed |= V’- D 


7 


The existence of ideal stabilizing protocols for “classical” specifications (that only man¬ 
date legitimate states) is an intriguing question, as one has to find a “clever” transition 
predicate and an interpretation function for every uninterpreted predicate (if included in 
the specification), such that the system satisfies the specification. Note that there is a 
specification for every system to which it ideally stabilizes [17| , and that is the specification 
that includes all of the system computations. In this paper, we do the reverse; meaning 
that getting a specification tp, we synthesize a distributed system that ideally stabilizes to 
Ip. 


3.4. Monotonic-Stabilization. Monotonic stabilization 21 also relates to prescribing 


program behavior during recovery, as it requires every process to change its output at most 
once after a transient fault occurs. This simple requirement induces desirable properties 
for fault recovery. For example, processors cannot go back and forth between states: once 
an output has been changed, it remains so until a legitimate state is reached, improving 
stability while recovering. 

A generic approach to monotonic stabilization is for each process to collect output 
information at some distance that depends on the considered problem, and change its output 
only if it is absolutely sure that it should do so. The space and time required to implement 
such a scheme is huge, even for relatively simple problems. In order to design a viable 
monotonically stabilizing protocol, a problem specific approach is necessary. This indeed 
makes manual design of monotonic-stabilizing protocols a tedious task. 


Definition 10. A distributed program D = {HjjjT-xy) is monotonic-stabilizing iff 

• D is self-stabilizing with some set LS of legitimate states, and 

• every (recovery) computation s = sqSi ■ ■ ■ Sn of P, where for all i G [0,n — 1], we 
have Si G -^LS and Sn G LS, the following holds: 


3j G [0, n — 1] : dvr G liv '■ 3v G VFjr : v{sj) 7 ^ n(sj+i) 

V/c G [0, n - 1] - {j} : Vn G : v{sk) = v{sk+i) 


□ 


4. Problem Statement 

Our goal is to develop synthesis algorithms that take as input the (1) system topology, 
and (2) two LTL formulas ip and ip that involve a set LP of uninterpreted predicates, and 
generate as output a self- or ideal-stabilizing protocol. For instance, in token passing on 
a ring, V’TR includes safety and fairness, which should hold in the set of legitimate states, 
while (/9 tr is a general requirement that we specify on every uninterpreted predicate tki. 
Since in the case of self-stabilizing systems, we do not get LS as a set of states (global 
predicate), we refer to our problem as “synthesis of self-stabilizing systems with implicit 
LS\ 



Problem statement 1 (self/monotonic-stabilization). Given is 

(1) atopology T= (y, |n7-|,-Rr, ^r); 

(2) two LTL formulas (p and ip that involve a set LP of uninterpreted predicates. 
The synthesis algorithm is required to identify as output (1) a distributed program 

V = {Ilx>,Tx>), (2) an interpretation function for every local predicate Ip £ LP, and 
(3) the global state predicate LS, such that V has topology T, V, Sd |= p, and V is 
self/monotonic-stabilizing for ip. 

Problem statement 2 (ideal-stabilization). Given is 

(1) a topology T = {V,\Ur\,RT, Wr) 

(2) two LTL formulas p and ip that involve a set LP of uninterpreted predicates. 
The synthesis algorithm is required to generate as output (1) a distributed program 

V = {Ilx>,Tx>), and (2) an interpretation function for every local predicate Ip £ LP, 
such that V has topology T and V, Ex) |= {p A pj). 


5. SMT-based Synthesis Solution 


Our technique is inspired by our SMT-based work in [^. In particular, we transform the 
problem input into an SMT instance. An SMT instance consists of two parts: (1) a set of 
entity declarations (in terms of sets, relations, and functions), and (2) first-order modulo- 
theory constraints on the entities. An SMT-solver takes as input an SMT instance and 
determines whether or not the instance is satisfiable. If so, then the witness generated by the 
SMT solver is the answer to our synthesis problem. We describe the SMT entities obtained 


in our transformation in Subsection 5.1, SMT constraints appear in Subsections 5.2- 5.3 
Note that using our approach in [^, we can synthesize different systems considering types 
of timing models (i.e., synchronous and asynchronous), symmetric and asymmetric, as well 
as strong- and weak-stabilizing protocols. In a weak-stabilizing protocol there is only the 
possibility of recovery lllj . 


5.1. SMT Entities. Recall that the inputs to our problems include a topology T = 
{V,\II'y\,R'y,Wj'), and two LTL formulas on a set LP of uninterpreted predicates. Let 
D = (IIx), Tx>) denote a distributed program that is a solution to our problem. In our SMT 
instance, we include: 


• A set for each v £ V, which contains the elements in the domain of v. 

• A set Bool that contains the elements true and false. 


• A set called S, whose cardinality is 


n D, 

v&V 


This set represents the state space of 


the synthesized distributed program. 

• An uninterpreted function V-val for each variable u; i.e., v-val : S i—)■ 

• An uninterpreted function Iprval for each uninterpreted predicate Ip £ LP] i.e, 
Ip-val : S I—)■ Bool. 

• A relation Tj that represents the transition relation for process vrj in the synthesized 
program. 

• An uninterpreted function 7, from each state to a natural number (7 : 5 1—)• N). 
This function is used to capture convergence to the set of legitimate states. 


9 











• An uninterpreted function LS : S i—)• Bool. 

The last two entities are only included in the case of Problem Statement 1. 

Example. For Example |3.1[ we include the following SMT entities: 

• Dcq = Dci = Dc 2 = {0,1, 2}, Bool = {true, false}, set S, where IjSI = 27 

• CQjval : S I—)■ Dcq, ci.val : S i—)• Dc^, C2-val : S i—)• Dcq 

• To C S X S, Ti C S X S, T 2 C S X S , -f : , LS : Bool 


5.2. General SMT Constraints. 

5.2.1. State Distinction. Any two states differ in the value of some variable: 

VsojSiGS : (sq / Si) ^ (3u G E : vjval{so) vjval{si)) (5-1) 


5.2.2. Local Predicates Constraints. Let LP be the set of uninterpreted predicates used in 
formulas and -0. For each uninterpreted local predicate Ip.^, we need to ensure that its 
interpretation function is a function of the variables in the read-set of vr. To guarantee this 
requirement, for each G LP, we add the following constraint to the SMT instance: 

Vs, s' £ S : {\/v G Rn : (u(s) = u(s')) ^ (IPnis) = IPnis')) 

Example. For Example |3.1[ we add the following constraint for process vri: 

Vs, s' G 5 : (xo(s) = xo(s')) A (xi(s) = xi(s')) A (x 2 (s) = X 2 (s')) ^ 

{tki{s) = tki{s)) (5.2) 


5.2.3. Constraints for an Asynchronous System. To synthesize an asynchronous distributed 
program, we add the following constraint for each transition relation Tf. 


V(so,si)GTi : yv ^ W'T-{i) : V-val{so) = V-val{si) 


(5.3) 


Constraint 5.3 ensures that in each relation Tj, only process tt* can execute. By introducing 
|n 7 -| transition relations, we consider all possible interleaving of processes executions. 


5.2.4. Read Restrictions. To ensure that D meets the read restrictions given by T and 
Definition!^ we add the following constraint for each process index: 

V(so,si) G Ti : Vs'o,^ : ((Vu G R^ : (f(so) = ^^(4) '^(^i) = ''^(4))) 

(Vu 0 R^r : v(so) = v(s}))) (sq, s}) G R (5.4) 


5.3. Specific SMT Constraints for Self- and Ideal-Stabilizing Problems. Before 
presenting the constraints specific to each of our problem statements, we present the formu¬ 
lation of an LTL formula as an SMT constraint. We use this formulation to encode the if 
and ip formulas (given as input) as ifsMT and (fsMT, and add them to the SMT instance. 


10 



5.3.1. SMT Formulation of an LTL Formula. SMT formulation of an LTL formula is pre¬ 
sented in [To] . Below, we briefly discuss the formulation of LTL formulas without nested 
temporal operators. For formulas with nested operators, the formulation based on universal 
co-Biichi automata needs to be applied. 

SMT formulation of X: A formula of the form XP is translated to an SMT constraint as 
below B 

Vs, s'G 5 : Vi G {0,...,|nr| - 1} : {s,s')eTi => P(s') (5.5) 


SMT formulation of U : Inspired by bounded synthesis , for each formula of the form 
PUQ, we define an uninterpreted function 7 * : S' i—>■ N and add the following constraints to 
the SMT instance: 


Vs,s'gS : Vi G {0,...,|nr| - 1} : ^Qis) A is,s')£Ti => 
(P(s) A 7 i(s') > 7 i(s)) 


(5.6) 


VsGS : ^Q(s) ^ 3i G {0,...,|nr| - 1} : 3s' G S : (s, s') G T* (5.7) 
The intuition behind Constraints |5.6| and |5.7| can be understood easily. If we can assign 


a natural number to each state, such that along each outgoing transition from a state in 
-iQ, the number is strictly increasing, then the path from each state in -iQ should finally 
reach Q or get stuck in a state, since the size of state space is finite. Also, there cannot 
be any loops whose states are all in -iQ, as imposed by the annotation function. Finally, 
Constraint 5.7 ensures that there is no deadlock state in ->Q states. 


5.3.2. Synthesis of Self-Stabilizing Systems. In this section, we present the constraints spe¬ 
cific to Problem Statement I. 

Closure (CL): The formulation of the closure constraint in our SMT instance is as follows: 

Vs, s' G 5 : Vi G {0 • • • \Ur\- 1} : (L5(s) A (s, s') G Ti) => LS{s') (5.8) 


Strong Convergence {SC): Similar to the constraints presented in Section 5.3.1 


formulation for SC is an adaptation of the concept of bounded synthesis 
following constraints ensure strong self-stabilization in the resulting model: 


our SMT 
The two 


Vs, s' G 5 : Vi G {0 • • • |nr| - 1} : ^LS{s) A (s, s') G Ti ^ j{s') > 7 ( 5 ) (5.9) 

VsG5 : ^LS{s) => 3i G {0---|nr| - 1} : 3s' G 5 : (s, s') G (5.10) 


General Constraints on Uninterpreted Predicates: As mentioned in Section one of the 
inputs to our problem is an LTL formulas, (p describing the role of uninterpreted predicates. 
Considering psMT to be the SMT formulation of 7 ), we add the following SMT constraint 
to the SMT instance: 

Vs G S' : psMT (5-II) 


1 


Note that for a formula P, P{s) is acquired the by replacing each variable v with v{s). 


11 





Constraints on LS:. Another input to our problem is the LTL formula, V' that includes 
requirements, which should hold in the set of legitimate states. We formulate this formula 
as SMT constraints using the method discussed in Section |5.3.1[ Considering 'tpsMT to be 
the SMT formulation of the formula, we add the following SMT constraint to the SMT 
instance: 

Vs € S : LS{s) => tpSMT (5-12) 

Example. Continuing with Example |3.1[ we add the following constraints to encode 
Vs G 5 : Vi G {0 • • • n — 1} : tki{s) (Vj G {0 • • • n — 1} : j ^ i ^ 

$s' €S : (s,s') G Tj) 

Note that the asynchronous constraint does not allow change of Xi for Tj, where j ^ i. The 
other requirements of the token ring problem are ^/^safety and V'faimessi which should hold 
in the set of legitimate states. To guarantee them, the following SMT constraints are added 
to the SMT instance: 

Vs G 5 : LS{s) => (3i G {0 • • • n — 1} : {tki{s) A Mj^i: ->tkj{s))) 

Vs G S' : LS{s) Vi G {0---n-1} : (tA:i(s) A (s,s') G Tj) => mod n)('S') 


5.3.3. Synthesis of Ideal-Stabilizing Systems. We now present the constraints specific to 
Problem Statement 2. The only such constraints is related to the two LTL formulas ip and 
ip. To this end, we add the following to our SMT instance: 

Vs G S : ipsMT h.'f’SMT (5.13) 


Example. We just present V’lme for Example 3.2, as y?LME is similar to Example 3T 
Vs G S : (3i G {0 • • • n — 1} : {tki(s) A ^tkj{s))) 

Vs,s'gS : Vi, j G {0, ..., |nr| - 1 } : ^tki{s) A (s, s') G Tj 7i(s') > 7i(s) 


VsGS : Vi G {0,...,|nr|-1} : --tki{s) ^ 3j G {0,..., |nr| - 1} : 

3s' G S : (s, s') G Tj 

Note that adding a set of constraints to an SMT instance is equivalent to adding their 
conjunction. 


12 





5.3.4. Synthesis of Monotonic-Stabilizing Systems. In order to synthesize a 
monotonic-stabilizing protocol, we need to add a constraint to guarantee that in each re¬ 
covery path, each process gets executed at most once. In order to enforce this property, for 
each process vrj, we define a Boolean function 

flag^ : S —)• {true, false} 
and include the following constraint to the SMT instance: 

Vs, s' G S : Vz G {0,..., \Ur\ - 1} : {^LS{s) A (s, s') G Ti) (5.14) 

iflagiis ) A ^ flagiis ')) 


VsG5 : Vi,j G {0,...,|nr| - 1} : {^LS{s) Ai^ j A{s,s') £TjA (5.15) 

-^fladiis)) ^flagiis') 

The above two constraints guarantee that in every path starting from a state in ^LS, 
each process executes at most one. This can easily be proved by contradiction. Assume 
that in the set of executions of the resulting protocol, there exists a recovery path from a 
state in ^LS to a state in LS, in which a process (assume W.L.O.G tt^) executes more than 
once. Based on constraint 5.14, each time vTj gets executed, the flag flag^ should change 
from true to false. First time, executes, this change in the value of flag^ happens. Also, 
based on constraint 5.15, it is guaranteed that in the execution of any other process, flag^ 
does not change. Now, based on constraint 5.14, in the second execution of vrj, flag^ should 
change from true to false. But we concluded that fiag^ is already set to false, and cannot 
be changed by the execution of any other process, which is a contradiction. 


6. Case Studies and Experimental Results 


We used the Alloy 13 model finder tool for our experiments. Alloy performs the relational 


reasoning over quantifiers, which means that we did not have to unroll quantifiers over their 
domains. The results presented in this section are based on experiments on a machine with 
Intel Core i5 2.6 GHz processor with 8GB of RAM. We report our results in both cases of 
success and failure for finding a solution. Failure is normally due to the impossibility of 
self- or ideal-stabilization for certain problems. 


6.1. Case Studies for Synthesis of Self-Stabilizing Systems. 


6.1.1. Self-stabilizing Token Ring. Synthesizing a self-stabilizing system for Example 3.1 


leads to automatically obtaining Dijkstra three-state algorithm in a bi-directional ring. 
Each process tt* maintains a variable Xi with domain {0,1, 2}. The read-set of a process is 
its own and its neighbors’ variables, and its write-set contains its own variable. For example, 
in case of three processes for tti, Rr(l) = {xo,xi,X 2 } and ITr(l) = {xi}. Token possession 
and mutual exclusion constraints follow Example |3.1[ Table presents our results for 
different input settings. In the symmetric cases, we synthesized protocols with symmetric 
middle (not top nor bottom) processes. We present one of the solutions we found for the 


13 







^ of Processes 

Self-Stabilization 

Timing Model 

Symmetry 

Time (sec) 

3 

strong 

asynchronous 

asymmetric 

4.21 

3 

weak 

asynchronous 

asymmetric 

1.91 

4 

strong 

asynchronous 

asymmetric 

71.19 

4 

weak 

asynchronous 

asymmetric 

73.55 

4 

strong 

asynchronous 

symmetric 

178.6 


Table 1: Results for synthesizing Dijkstra’s three-state token ring. 


ik of Processes 

Self-Stabilization 

Timing Model 

Time (sec) 

3 

strong 

synchronous 

0.84 

4 

strong 

synchronous 

16.07 

4 

weak 

synchronous 

26.8 


Table 2: Resnlts for synthesizing mutual exclusion on a tree (Raymond’s algorithm). 

token ring problem in ring of three processesj^ First, we present the interpretation functions 
for the uninterpreted local predicates. 

tko Xq = X2, tki Xi ^ Xq, tk2 X2 7^ Xi 

Next, we present the synthesized transition relations for each process: 


TTo : 

(xo = X 2 ) - 

■7 Xo 

:= (xo + I) mod 3 

TTi : 

(xi 7 ^ xo) - 

7 Xi 

:= Xo 

TTi : 

(X2 7^ Xi) - 

7 X 2 

:= xi 


Note that our synthesized solution is similar to Dijkstra’s k-state solution. 

6.1.2. Mutual Exclusion in a Tree. In the second case study, the processes form a directed 
rooted tree, and the goal is to design a self-stabilizing protocol, where at each state of LS, 
one and only one process is enabled. In this topology, each process ttj has a variable hj with 
domain {i \ TTj is a neighbor of tTj} U {j}. If hj = j, then TTj has the token. Otherwise, 
hj contains the process id of one of the process’s neighbors. The holder variable forms a 
directed path from any process in the tree to the process currently holding the token. The 
problem specification is the following; 

Safety: We assume each process is associated with an uninterpreted local predicate 
tki, which shows whether is enabled. Thus, mutual exclusion is the following 
formula: 

V’safety = € {0 • • • n - 1} : (tki A Vj / i : ^tkj) 

Fairness: Each process vTi is eventually enabled: 

V’fairness = V* G {0 ■ ■ ■ n 1} : (F tki') 

The formula, V’R given as inpnt is V’R = '^/’safety A V’fairness 

Using the above specification, we synthesized a synchronous self-stabilizing systems, 
which resembles Raymond’s mutual exclusion algorithm on a tree [^. Table shows the 
experimental results. We present one of our solutions for token circnlation on a tree, where 

^We manually simplified the output of Alloy for presentation, although this task can be also automated. 


14 
























Figure 1: Self-stabilizing mutual exclusion in a tree of size 3 (Raymond’s algorithm). 

there is a root with two leaves. The interpretation functions for the uninterpreted local 
predicates are as follows: 

Vi : tki hi = i 

Another part of the solution is the transition relation. Assume vro to be the root 
process, and tti and 7r2 to be the two leaves of the tree. Hence, the variable domains are 
Dh, = {0,1,2}, Dh, = {0,1}, and = {0,2}. Fig. a shows the transition relation over 
states of the form (/iq, hi, h 2 ) as well as pictorial representation of the tree and token, where 
the states in LS are shaded. 


6.2. Case Studies for Synthesis of Ideal-Stabilizing Systems. 

6.2.1. Leader Election. In leader election, a set of processes choose a leader among them¬ 
selves. Normally, each process has a subset of states in which it is distinguished as the 
leader. In a legitimate state, exactly one process is in its leader state subset, whereas the 
states of all other processes are outside the corresponding subset. 

We consider line and tree topologies. Each process has a variable Ci and we consider 
domains of size two and three to study the existence of an ideal-stabilizing leader election 
protocol. To synthesize such a protocol, we associate an uninterpreted local predicate h for 
each process vTi, whose value shows whether or not the process is in its leader state. Based 
on the required specihcation, in each state of the system, there is one and only one process 
VTj, for which h = true: 

V’safety — G {0 ■ ■ ■ n 1} . (/j A Vj ^ i . ~'lj) 

The results for this case study are presented in Table In the topology column, the 
structure of the processes along with the domain of variables is reported. In the case of 4 
processes on a line topology and tree/2-state, no solution is found. The time we report in 
the table for these cases are the time needed to report unsatisfiability by Alloy. 

We present the solution for the case of three processes on a line, where each process 
vTj has a Boolean variable c^. Since the only specification for this problem is state-based 


15 





























a of Proc. 

Timing Model 

Topology 

Time (sec) 

3 

asynchronous 

hne/2-state 

0.034 

4 

asynchronous 

hne/2-state 

0.73 

4 

asynchronous 

hne/3-state 

115.21 

4 

asynchronous 

tree/2-state 

0.63 

4 

asynchronous 

tree/3-state 

12.39 


Table 3: Results for ideal stabilizing leader election. 


a of Proc. 

Timing Model 

Symmetry 

Time (sec) 

3 

asynchronous 

asymmetric 

0.75 

4 

asynchronous 

asymmetric 

24.44 


Table 4: Results for synthesizing ideal stabilizing local mutual exclusion. 

(safety), there is no constraint on the transition relations, and hence, we only present the 
interpretation function for each uninterpreted local predicate It. 

^o = (coA-.Ci) = (-.Co A-.Cl) V (ci A-.C 2 ) ?2 = (ciAC 2 ) 


6.2.2. Local Mutual Exclusion. Our next case study is local mutual exclusion, as discussed 
in Example 3.2. We consider a line topology in which each process vrj has a Boolean variable 
Ci. The results for this case study are presented in Table 

The solution we present for the local mutual exclusion problem corresponds to the case 
of four processes on a ring. Note that for each process tTj, when tki is true, the transition 
Tj changes the value of Cj. Hence, having the interpretation functions of tki, the definition 
of transitions Ti are determined as well. Below, we present the interpretation functions of 
the uninterpreted local predicates tki. 

tkQ = (co A Cl) V (-.Co A -.Cl) 
tki = (-.Co A Cl A C 2 ) V (co A -.Cl A -.C 2 ) 
tk 2 = (-.Cl A C2 A -.C3) V (ci A -.C2 A C3) 
tka = (c2 A C3) V (-.C2 A -.C3) 


6.3. Case Studies for Synthesis of Monotonic-Stabilizing Systems. 

6.3.1. Maximal Independent Set. Given an undirected graph G = {V,E), we say that S CV 
is an independent set of G, if no two vertices in S share an edge in E. The set S' is a maximal 
independent set (MIS), if it is not a proper subset of any other independent set. We use 
a similar topology as used in the literature [^. Assuming processes to be the vertices 
of the graph, we consider a Boolean variable Indi for each process vTj. The value of Indi 
determines whether or not ni is part of the independent set or not. A legitimate state is the 
one where processes with true values of their Ind variables form an independent set. For 
example, considering a ring of four processes, the set of legitimate states can be specified 
by the following predicate: 


16 



















H of Proc. 

Timing Model 

Symmetry 

Time (sec) 

Result 

3 

asynchronous 

asymmetric 

0.35 

sat 

3 

asynchronous 

symmetric 

0.09 

sat 

3 

synchronous 

asymmetric 

0.08 

sat 

4 

asynchronous 

asymmetric 

1.35 

sat 

4 

asynchronous 

symmetric 

0.9 

unsat 

5 

asynchronous 

asymmetric 

6.33 

sat 

6 

asynchronous 

asymmetric 

63.24 

sat 


Table 5: Results for monotonic stabilizing maximal independent set in ring. 


{Indo{s) A ->Indi{s) A Ind2{s) A ^Ind^{s)) V 
{-iIndo{s) A Indi{s) A ->Ind2{s) A Ind3{s)) 

In this case study, our goal is to synthesize monotonic-stabilizing MIS protocols for 
ring topologies, where each process can read its own variable, as well as the variables of 
its neighbors, and can only write to its own variable. The results of this case study are 
presented in Table The last column indicates whether or not Alloy is able to find a 
solution. Note that since our method is complete, unsatisfiability means that there exists 
no protocol satisfying the specified requirements. The following is the synthesized symmetric 
asynchronous protocol for the case of three processes in a ring topology. Note that in the 
case of symmetric protocol, all processes execute similarly. 

TTi : -^Indi A -<Indi A ^Indr —>• Indi := true 

Indi A Indi —>• Indi ■= false 

In the above synthesized protocol, r is the index of the right process, or r = (z + 1) mod 3, 
and I is the index of the left process, or I = (i — 1) mod 3. With a simple observation of 
the above synthesized protocol, we can see that in any path starting from a non-legitimate 
state, each process takes at most one action. We also present one of the solutions for the 
case of 4 processes in a ring topology. 


TTo : 

Indo A Inds 


Indo 

= false 

TTi : 

-i/ndi A ^Ind2 


Indi 

= true 

712 : 

Ind 2 A Inds 

—)• 

Ind2 

= false 


Ind 2 A ^Ind^ A Indi 


Ind2 

= false 

713 : 

^Inds A -i/ndo 


Indo 

= true 


-^Inds A Indo A ^Ind 2 

—)• 

Indo 

= true 


6.3.2. Maximal Independent Set in Unidirectional Rings. Yamauchi and Tixeuil [21] state 
that monotonic stabilization requires additional information exchange between processes. 
In our second case study, we attempt to limit information exchange in maximal independent 
set and see whether we can still synthesize monotonic-stabilizing protocols for this problem. 
We considered unidirectional rings for this case study. In other words, each process can 
only read its own variable and the variable of its left process, and can write to its own 


17 

















# of Proc. 

Timing Model 

Symmetry 

Time (sec) 

Result 

3 

asynchronous 

asymmetric 

0.06 

unsat 

3 

asynchronous 

symmetric 

0.05 

unsat 

3 

synchronous 

asymmetric 

0.07 

sat 

4 

asynchronous 

asymmetric 

0.74 

sat 

4 

asynchronous 

symmetric 

0.44 

unsat 

5 

asynchronous 

asymmetric 

8.73 

unsat 

6 

asynchronous 

asymmetric 

85.14 

sat 


Table 6 : Results for monotonic stabilizing maximal independent set in unidirectional ring. 

variable. For example, for a ring of three processes, = {/ndo; Ind 2 } and = {Indo}. 
The results for this case study are presented in Table As can be seen, for the case of 
asymmetric asynchronous topologies, a protocol is found for rings of even size (4 and 6 ), 
but not for rings of odd size (3 and 5). Although, we cannot generalize our solution, but 
it can give an intuition to protocol designers for a general monotonic-stabilizing protocol 
to solve maximal independent in unidirectional rings. For the case of synchronous protocol 
with three processes, we synthesized the following solution: 


TTo : 

true 


Indo 

:= false 

TTi : 

true 


Indi 

:= false 

712 : 

true 

—)• 

Ind2 

:= true 


As can be simply observed, the synthesized topology takes every state (legitimate or 
non-legitimate) to one state {false, false, true). A question that may raise for the reader is 
that why similar protocol does not work in the case of asynchronous systems. The answer is 
that in the case of asynchronous systems, each step of the system is the execution of exactly 
one process, and hence, one execution of such a protocol may take the system from LS 
to a non-legitimate state (closure violation). For example, asynchronous execution of the 
synthesized actions for the synchronous case will take the system from {true, false, false), 
which is legitimate to {false, false, false), which is non-legitimate (the first action is taken). 

6.3.3. Grundy Coloring. Our third case study is the problem of Grundy coloring. Consid¬ 
ering a graph G = {V,E), and a coloring function 

color : F —)• [1, A;] 

a vertex u G R is called a Grundy node if 

color{v) = min{/ G [1, A:] | Vu : {v,u) G E {color{u) / 1)} 

Simply speaking, v is colored with the smallest color not taken by any neighbor. A Grundy 
coloring for a graph is one in which every node is a Grundy node. 

To synthesize a monotonic-stabilizing protocol for this problem, we consider a set of 
processes as the nodes of the graph, such that each process has a color variable. The designer 
can specify the domain of the color variables. Each process can read its own variable, and 
the variables of its neighbors, and can write to its own variable. The set of legitimate states 
are those, in which each process is a Grundy node. For example, considering a ring of 4 


18 
















processes, where the domain of color variables is {1,2,3}, the set of legitimate states can 
be specified by the following predicate: 


Mi G {0,1,2,3} : {colori{s) / color a){s)) A 

(coloriis) = 2 ^ (co/or(i+i^orf 4 )(s) = 1 V color= 1)) A 
(coloriis) = 3 ^ {{color^i+imod4.){s) = 2 V co/or(i_i ^orf 4 )(s) = 2) A 
{color(^i+i mod4){s) = 1 V color^i_imod4){s) = 1))) 

Note that the last three lines of the above predicate are ensuring that the assigned color to 
each node is the minimum available one. Our results for this case study are presented in 
Table Our synthesized protocol for the case of a symmetric protocol with three processes 
in a ring is the following: 




{color i 
{color i 
{color i 
{color i 
{color i 
{color i 


1) A {colori 7 ^ 2) A {color^ = 1) —)■ 

1) A {colori = 2) A {colorr = 1) —)■ 

3) A {colori = 3) A {colorr 7 ^ 2) —)■ 

3) A {colori = 2) A {colorr = 3) — )■ 

2) A {colori = 2) A {colorr = 3) — )■ 

2) A {colori 7 ^ 3) A {colorr = 2) —)> 


colori 

= 2 

colori 

= 3 

colori 

= 2 

colori 

= 1 

colori 

= 1 

colori 

= 3 


In the above synthesized protocol, r is the index of the right process, or r = (i + 1) mod 3, 
and I is the index of the left process, or / = (z — 1) mod 3. Note that in this case, Grundy 
coloring is the same as the three-coloring problem [12| . 

We also present our synthesized model for the case of asynchronous protocol with 4 
processes in a line topology: 


TTo : 

{colors 7^ 1) A {colori = 3) 

—)• 

colorQ 

= 1 


{colors = 3) A {colori = 1) 

—)• 

colorQ 

= 2 

TTi : 

{colorQ = 3) A {colori = 2) 

—)• 

colori 

= 3 


{coloro = 2) A {colori = 2) 

—)• 

colori 

= 1 


{colorQ = 1) A {colori 7^ 3) A {color 2 = 2) 


colori 

= 3 


{colorQ = 1) A {colori = 1) A {color 2 7^ 2) 

—)■ 

colori 

= 3 

712 : 

{colori = 3) A {color 2 7^ 2) A {color^ = 1) 

—)• 

color2 

= 2 


{colori 7^ 2) A {color 2 = 1) A {color^ = 2) 

—)• 

color2 

= 2 


{colori 7^ 3) A {color 2 = 1) A {colors = 1) 

—)• 

color2 

= 2 


{colori = 1) A {color 2 = 3) A {colors 7^ 2) 

—)• 

color2 

= 2 

713 : 

{color 2 7^ 1) A {colors 7^ 1) 

—)• 

colors 

= 1 


{color 2 = 1) A {colors = 3) 

—)• 

colors 

= 1 


19 




^ of Proc. 

Timing Model 

Topology 

Symmetry 

Time (sec) 

Result 

3 

asynchronous 

ring 

asymmetric 

3.02 

sat 

3 

asynchronous 

ring 

symmetric 

2.89 

sat 

3 

synchronous 

ring 

asymmetric 

4.29 

sat 

3 

asynchronous 

line 

asymmetric 

3.93 

sat 

4 

asynchronous 

ring 

asymmetric 

102.46 

sat 

4 

asynchronous 

ring 

symmetric 

152.69 

unsat 

4 

asynchronous 

line 

asymmetric 

144.16 

sat 


Table 7: Results for monotonic stabilizing Grundy coloring. 
7. Related Work 


7.1. Bounded Synthesis. In bounded synthesis 10 , given is a set of LTL properties, a 


system architecture, and a set of bounds on the size of process implementations and their 
composition. The goal is to synthesize an implementation for each process, such that their 
composition satisfies the given specification. The properties are translated to a universal 
co-Biichi automaton, and then a set of SMT constraints are derived from the automaton. 
Our work is inspired by this idea for finding the SMT constraints for strong convergence 
and also the specification of legitimate states. For other constraints, such as the ones for 
synthesis of weak convergence, asynchronous and symmetric systems, we used a different 
approach from bounded synthesis. The other difference is that the main idea in bounded 
synthesis is to put a bound on the number of states in the resulting state-transition systems, 
and then increase the bound if a solution is not found. In our work, since the purpose is to 
synthesize a self-stabilizing system, the bound is the number of all possible states, derived 
from the given topology. 


7.2. Synthesis of Self-Stabilizing Systems. In [15] , the authors show that adding strong 
convergence is NP-complete in the size of the state space, which itself is exponential in the 
size of variables of the protocol. Ebnenasir and Farahat also proposed an automated 
method to synthesize self-stabilizing algorithms. Our work is different in that the method 
in is not complete for strong self-stabilization. This means that if it cannot find a solution, 
it does not necessarily imply that there does not exist one. However, in our method, 
if the SMT-solver declares “unsatisfiability”, it means that no self-stabilizing algorithm 
that satisfies the given input constraints exists. A complete synthesis technique for self- 
stabilizing systems is introduced in [^. The limitations of this work compared to ours 
is: (1) Unlike the approach in 16 , we do not need the explicit description of the set of 
legitimate states, and (2) The method in 16 needs the set of actions on the underlying 


variables in the legitimate states. We also emphasize that although our experimental results 
deal with small numbers of processes, our approach can give key insights to designers of 
self-stabilizing protocols to generalize the protocol for any number of processes |14j . 

Another line of research is the work in |^. The authors in this paper also introduce 
a technique to synthesize self-stabilizing protocols based on bounded synthesis, but their 
main focus is on Byzantine failures. To this end, they use a counterexample-guided inductive 
synthesis loop for networks of hxed size. 


20 



















7.3. Automated Addition of Fault-Tolerance. The proposed algorithm in synthe¬ 
sizes a fanlt-tolerant distribnted algorithm from its fanlt-intolerant version. The distinction 
of onr work with this study is ( 1 ) we emphasize on self-stabilizing systems, where any system 
state could be reachable due to the occurrence of any possible fault, ( 2 ) the input to our 
problem is just a system topology, and not a fault-intolerant system, and (3), the proposed 
algorithm in is not complete. 


8. Conclusion 


In this paper, we proposed an automated SMT-based technique for synthesizing self- and 
ideal-stabilizing algorithms. In both cases, we assume that only a high-level specification 
of the algorithm is given in the linear temporal logic (LTL). In the particular case of self¬ 
stabilization, this means that the detailed description of the set of legitimate states is not 
required. This relaxation is signihcantly beneficial, as developing a detailed predicate for 
legitimate states can be a tedious task. Our approach is sound and complete for finite- 
state systems; i.e., it ensures correctness by construction and if it cannot find a solution, 
we are guaranteed that there does not exist one. We demonstrated the effectiveness of our 
approach by automatically synthesizing Dijkstra’s token ring, Raymond’s mutual exclusion, 
and ideal-stabilizing leader election and local mutual exclusion algorithms. 

We note that our approach can be easily extended to incorporate additional properties 
of self-stabilizing systems. For instance, one can impose a worst-case recovery time by 
require an upperbound on the number of recovery steps. This can ve simply achieved by 


including a constraint on the 7 * function (i.e.. Constraint 5.6). 


For future, we plan to work on synthesis of probabilistic self-stabilizing systems. An¬ 
other challenging research direction is to devise synthesis methods where the number of 
distributed processes is parameterized as well as cases where the size of state space of pro¬ 
cesses is inhnite. We note that parameterized synthesis of distributed systems, when there 
is a cut-off point is studied in [^. Our goal is to study parameterized synthesis for self- 
stabilizing systems, and we plan to propose a general method that works not just for cases 
with cut-off points. We would also like to investigate the application of techniques such 
as counter-example guided inductive synthesis to improve the scalability of the synthesis 
process. 


9. Acknowledgments 

This research was supported in part by Canada NSERC Discovery Grant 418396-2012 and 
NSERC Strategic Grant 430575-2012. 


References 

[ 1 ] F. Abujarad and S. S. Kulkarni. Multicore constraint-based automated stabilization. In Stabilization, 
Safety, and Security of Distributed Systems (SSS), pages 47-61, 2009. 

[2] R. Bloem, N. Braud-Santoni, and Swen Jacobs. Synthesis of self-stabilising and byzantine-resilient 
distributed systems. In Proceedings of the 28th International Conference on Computer Aided Verification 
(CAV), pages 157-176, 2016. 

[3] B. Bonakdarpour, S. S. Kulkarni, and F. Abujarad. Symbolic synthesis of masking fault-tolerant pro¬ 
grams. Springer Journal on Distributed Computing, 25(1):83-108, March 2012. 

[4] Murat Demirbas and Anish Arora. Specihcation-based design of self-stabilization. IEEE Transactions 
on Parallel Distributed Systems, 27(l):263-270, 2016. 


21 



[5] E. W. Dijkstra. Self-stabilizing systems in spite of distributed control. Communications of the ACM, 
17(ll):643-644, 1974. 

[6] E. W. Dijkstra. A belated proof of self-stabilization. Distributed Computing, l(l):5-6, 1986. 

[7] A. Ebnenasir and A. Earahat. A lightweight method for automated design of convergence. In Interna¬ 
tional Parallel and Distributed Processing Symposium (IPDPS), pages 219-230, 2011. 

[8] E. Faghih, B. Bonakdarpour, S. Tixeuil, and S. Kulkarni. Specification-based synthesis of distributed 
self-stabilizing protocols. In Proceedings of the 36th IFIP WG 6.1 International Conference on Formal 
Techniques for Distributed Objects, Components, and Systems (FORTE), pages 124-141, 2016. 

[9] Eathiyeh Faghih and Borzoo Bonakdarpour. SMT-based synthesis of distributed self-stabilizing systems. 
ACM Transactions on Autonomous and Adaptive Systems (TAAS), 10(3):21, 2015. 

[10] B. Finkbeiner and S. Schewe. Bounded synthesis. International .lournal on Software Tools for Technology 
Transfer (STTT), 15(5-6):519-539, 2013. 

[11] M. G. Gouda. The theory of weak stabilization. In International Workshop on Self-Stabilizing Systems, 
pages 114-123, 2001. 

[12] M. G. Gouda and H. B. Acharya. Nash equilibria in stabilizing systems. In Stabilization, Safety, and 
Security of Distributed Systems (SSS), pages 311-324, 2009. 

[13] D. Jackson. Software Abstractions: Logic, Language, and Analysis. MIT Press Gambridge, 2012. 

[14] S. Jacobs and R. Bloem. Parameterized synthesis. Logical Methods in Computer Seience, 10(1), 2014. 

[15] A. Klinkhamer and A. Ebnenasir. On the complexity of adding convergence. In Fundamentals of Software 
Engineering (FSEN), pages 17-33, 2013. 

[16] A. Klinkhamer and A. Ebnenasir. Synthesizing self-stabilization through superposition and backtrack¬ 
ing. In Stabilization, Safety, and Security of Distributed Systems (SSS), pages 252-267, 2014. 

[17] Mikhail Nesterenko and Sebastien Tixeuil. Ideal stabilisation. IJGUC, 4(4):219-230, 2013. 

[18] A. Pnueli. The temporal logic of programs. In Symposium on Foundations of Computer Science (FOCS), 
pages 46-57, 1977. 

[19] Kerry Raymond. A tree-based algorithm for distributed mutual exclusion. ACM Transactions on Com¬ 
puter Systems, 7(l):61-77, 1989. 

[20] S. K. Shukla, D. J. Rosenkrantz, and S. S. Ravi. Observations on self-stabilizing graph algorithms for 
anonymous networks. In Proceedings of the Second Workshop on Self-Stabilizing Systems, volume 7, 
page 15, 1995. 

[21] Y. Yamauchi and S. Tixeuil. Monotonic stabilization. In On Principles of Distributed Systems 
(OPODIS), pages 475-490, 2010. 


22 



